mirror of
https://github.com/mikaela/mikaela.github.io/
synced 2024-11-25 13:59:25 +01:00
117 lines
4.7 KiB
Markdown
117 lines
4.7 KiB
Markdown
---
|
|
layout: post
|
|
comments: true
|
|
title: "My ufw (Ubuntu/Uncomplicated Firewall) config"
|
|
category: [english]
|
|
tags: [english]
|
|
redirect_from:
|
|
- /ufw/
|
|
- /english/2015/06/12/ufw.html
|
|
robots: noai
|
|
---
|
|
|
|
_This post describes my UFW config and is here so I find it from somewhere and
|
|
with hope that I am told if someone notices something terriby insecure here and
|
|
is able to offer suggestions. This probably will never be perfect._
|
|
|
|
Having firewall is important as you aren't always in your trusted home network
|
|
(that can also be broken into especially if you have WLAN) and with IPv6 your
|
|
devices have public IPv6 addresses. Theoretically your router should include a
|
|
firewall, but at least the Huawei mobile broadband routers or MiFis don't
|
|
include one (and I might be annoyed by it enough to disable it anyway and
|
|
configure everything on host level if it was my network).
|
|
|
|
_Threat model: service I am not aware of or that I accidentally make listen
|
|
wider than intended, with UFW I am aware of what ports are allowed. I assume any
|
|
mobile host is going to move randomly and while some whitelists (especially
|
|
link-local and IPv4 LANs) will overlap and possibly allow access, it's still
|
|
better than being open to the internet and overlay networks that I have
|
|
interacted with recently._
|
|
|
|
This post first has list of commands, then explanations that won't be repeated
|
|
with IPvX ranges.
|
|
|
|
Fedora/firewalld? [n/firewalld](/n/firewalld)
|
|
|
|
```bash
|
|
ufw allow 22/tcp
|
|
ufw default deny incoming
|
|
ufw default allow outgoing
|
|
systemctl enable ufw && systemctl start ufw
|
|
ufw enable
|
|
ufw reject 113/tcp
|
|
#ufw allow from 192.168.0.0/16 to any port 123 proto udp
|
|
ufw allow from fe80::/10 to any port 123 proto udp
|
|
#ufw allow from 192.168.8.0/24 to any port 631 proto tcp
|
|
ufw allow from fe80::/10 to any port 631
|
|
#ufw allow from 192.168.8.0/24 to any port 5353 proto udp
|
|
ufw allow from fe80::/10 to any port 5353 proto udp
|
|
#ufw allow from <static:Yggdrasil:IPv6> to any port 5900
|
|
ufw allow 6771/udp
|
|
ufw allow from fe80::/10 to any port 9001 proto udp
|
|
ufw allow 60000:61000/udp
|
|
```
|
|
|
|
- 22 TCP/ssh — Allow acces to SSHd you don't want to lock yourself out.
|
|
- previously I used `ufw limit` but it seems to be too oversensitive, just use
|
|
SSHGuard.
|
|
- Deny incoming connections unless the port has been whitelisted.
|
|
- Allow all outgoing connections, keeping list of authorized ports would be too
|
|
much for me.
|
|
- Start ufw on boot and now (I am not sure if this step is required, but better
|
|
safe than sorry).
|
|
- Put the firewall in force.
|
|
- 113 TCP/ident — Tell "Connection refused" to whoever tries to reach port 113.
|
|
This makes ident checking IRC servers connect faster as they don't have to
|
|
timeout. If you run shell server (for IRC purpouses) you should allow this
|
|
instead. And if you don't use IRC or don't care about having to wait for the
|
|
check to timeout, don't do this as you may leave yourself visible to random
|
|
port scanners.
|
|
- 123 UDP/NTP - syncing time between local hosts
|
|
- 631 both/cups — Allow access to cups for printer sharing from 192.168.8.xxx
|
|
- fe80:://10 is link-local address existing _everywhere_ IPv6 is enabled,
|
|
check your `ip addr` or on Windows `ipconfig /all` for fun.
|
|
- 5353 UDP/mdns/Avahi — used for `.local` addresses.
|
|
- 5900 — VNC port at least for `krfb kdrc` (KDE Remote Desktop server & client).
|
|
I tend to only allow it from specific Yggdrasil address(es).
|
|
- 6771/udp —
|
|
[Bittorrent Local Peer Discovery](http://bittorrent.org/beps/bep_0014.html)
|
|
- 9001/udp — [Yggdrasil](https://yggdrasil-network.github.io/) automatic peering
|
|
port only on link-local.
|
|
- 60000:61000 UDP/mosh — I feel this is the most insecure part of this setup and
|
|
there should be something bettter instead of this. As something evil could run
|
|
and listen on these ports.
|
|
|
|
_If some host doesn't run some of the mentioned service, it's not open in the
|
|
firewall._
|
|
|
|
KDE Connect which seems painful enough to list separately and doesn't seem to
|
|
work IPv6-only or I am too impatient.
|
|
|
|
```bash
|
|
#ufw allow from 192.168.8.0/24 to any port 1714:1764 proto tcp
|
|
#ufw allow from 192.168.8.0/24 to any port 1714:1764 proto udp
|
|
ufw allow from fe80::/10 to any port 1714:1764 proto tcp
|
|
ufw allow from fe80::/10 to any port 1714:1764 proto udp
|
|
```
|
|
|
|
EXTRA:
|
|
|
|
If you need WLAN tethering, edit `/etc/ufw/sysctl.conf` and:
|
|
|
|
```
|
|
ufw route allow in on enp3s0 out on wlp2s0
|
|
ufw route allow in on wlp2s0 out on enp3s0
|
|
```
|
|
|
|
I am not sure if both rules are required, enp3s0 is the ethernet interface and
|
|
wlp2s0 the wireless one. I think it would make sense for only the first to be
|
|
required.
|
|
|
|
---
|
|
|
|
Last updated: 2020-10-26 |
|
|
[GitHub changelog](https://github.com/Mikaela/mikaela.github.io/commits/master/_posts/2015-06-12-ufw.md)
|
|
|
|
|
[Blesmrt Gitea changelog](https://gitea.blesmrt.net/mikaela/mikaela-info/commits/branch/master/_posts/2015-06-12-ufw.md)
|